firewall { name DMZ-2-LAN { default-action drop enable-default-log rule 1 { action accept state { established enable } } rule 10 { action accept description "wazuh agent comm with wazuh server" destination { address 172.16.200.10 port 1514,1515 } protocol tcp } } name DMZ-2-WAN { default-action drop enable-default-log rule 420 { action accept description "The Stamp to allow connections" state { established enable } } rule 999 { action accept source { address 172.16.50.3 } } } name LAN-2-DMZ { default-action drop enable-default-log rule 10 { action accept description "80/tcp LAN to web01" destination { address 172.16.50.3 port 80 } protocol tcp } rule 20 { action accept description "22/tcp from MGMT01 to DMZ" destination { address 172.16.50.0/29 port 22 } protocol tcp source { address 172.16.150.10 } } rule 420 { action accept description "The LAN-2-DMZ Stamp of approval" state { established enable } } } name LAN-2-WAN { default-action drop enable-default-log rule 420 { action accept } } name WAN-2-DMZ { default-action drop enable-default-log rule 1 { action accept state { established enable } } rule 10 { action accept description "Allow HTTP from WAN to DMZ" destination { address 172.16.50.3 port 80 } protocol tcp } rule 20 { action accept description "allow ssh from want to dmz" destination { address 172.16.50.4 port 22 } protocol tcp } } name WAN-2-LAN { default-action drop enable-default-log rule 10 { action accept destination { } protocol tcp state { established enable } } } } interfaces { ethernet eth0 { address 10.0.17.115/24 description SEC350-WAN hw-id 00:50:56:a1:c9:2c } ethernet eth1 { address 172.16.50.2/29 description THOMSEN-DMZ hw-id 00:50:56:a1:1e:01 } ethernet eth2 { address 172.16.150.2/24 description THOMSEN-LAN hw-id 00:50:56:a1:e1:dc } loopback lo { } } nat { destination { rule 10 { description HTTP->WEB01 destination { port 80 } inbound-interface eth0 protocol tcp translation { address 172.16.50.3 port 80 } } rule 20 { destination { port 22 } inbound-interface eth0 protocol tcp translation { address 172.16.50.4 port 22 } } } source { rule 10 { description "NAT FROM DMZ TO WAN" outbound-interface eth0 source { address 172.16.50.0/29 } translation { address masquerade } } rule 20 { description "NAT from LAN to WAN" outbound-interface eth0 source { address 172.16.150.0/24 } translation { address masquerade } } rule 30 { description "NAT FROM MGMT TO WAN" outbound-interface eth0 source { address 172.16.200.0/28 } translation { address masquerade } } } } protocols { rip { interface eth2 { } network 172.16.50.0/29 } static { route 0.0.0.0/0 { next-hop 10.0.17.2 { } } } } service { dns { forwarding { allow-from 172.16.50.0/29 allow-from 172.16.150.0/24 listen-address 172.16.50.2 listen-address 172.16.150.2 system } } ssh { listen-address 172.16.150.2 } } system { config-management { commit-revisions 100 } conntrack { modules { ftp h323 nfs pptp sip sqlnet tftp } } console { device ttyS0 { speed 115200 } } host-name fw1-david login { user vyos { authentication { encrypted-password $6$kBzuSikOLAH5pZfq$Nh33peg27vElnZqrjakctM87yxFXruTZpvktkH4KRo4dkqPA4ky5rDjs7vS4Qzn9/DyXW7oDAGJqtY387K7sr0 } } } name-server 10.0.17.2 ntp { server time1.vyos.net { } server time2.vyos.net { } server time3.vyos.net { } } syslog { global { facility all { level info } facility protocols { level debug } } host 172.16.50.5 { facility authpriv { } } } } zone-policy { zone DMZ { from LAN { firewall { name LAN-2-DMZ } } from WAN { firewall { name WAN-2-DMZ } } interface eth1 } zone LAN { from DMZ { firewall { name DMZ-2-LAN } } from WAN { firewall { name WAN-2-LAN } } interface eth2 } zone WAN { from DMZ { firewall { name DMZ-2-WAN } } from LAN { firewall { name LAN-2-WAN } } interface eth0 } } // Warning: Do not remove the following line. // vyos-config-version: "bgp@3:broadcast-relay@1:cluster@1:config-management@1:conntrack@3:conntrack-sync@2:dhcp-relay@2:dhcp-server@6:dhcpv6-server@1:dns-forwarding@3:firewall@7:flow-accounting@1:https@3:interfaces@26:ipoe-server@1:ipsec@9:isis@1:l2tp@4:lldp@1:mdns@1:monitoring@1:nat@5:nat66@1:ntp@1:openconnect@2:ospf@1:policy@3:pppoe-server@5:pptp@2:qos@1:quagga@10:rpki@1:salt@1:snmp@2:ssh@2:sstp@4:system@25:vrf@3:vrrp@3:vyos-accel-ppp@2:wanloadbalance@3:webproxy@2" // Release version: 1.4-rolling-202209130217